The Adventures of Elusive Malware, Gawo II: Secretive VBA Scripts

This article is part of the Fileless Malware series. All other parts of the series:

I am a fan of the Hybrid Analysis site (hereafter HA). It is a kind of malware zoo where you can watch wild "predators" from a safe distance without being attacked. HA runs malware in a protected environment, records the system calls, created files and network traffic, and hands you all of these results for every sample it analyzes. This way you don't have to waste your time and energy trying to pick apart the obfuscated code yourself; you can understand the attackers' intentions right away.

The HA samples that caught my attention use JavaScript or Visual Basic for Applications (VBA) scripts embedded as macros in Word or Excel documents and attached to phishing emails. Once opened, the macros launch a PowerShell session on the victim's computer. Hackers usually pass Base64-encoded commands to PowerShell. All of this is done to make the attack harder to detect for web filters and antivirus software that trigger on certain keywords.
Fortunately, HA decodes the Base64 on its own and shows everything in readable form right away. Essentially, you don't need to look closely at how these scripts work, because you can see the whole chain in the corresponding HA section. See the example below:

Hybrid Analysis intercepts the Base64-encoded commands passed to PowerShell:

...and then decodes them for you. #magic

In the previous post I built my own slightly obfuscated JavaScript container to launch a PowerShell session. My script, like a lot of PowerShell malware, then downloaded a PowerShell script from a remote site. Back then, as an example, I pulled down a harmless PS script that printed a message on the screen. But times are changing, and now I want to complicate the scenario.

PowerShell Empire and the Reverse Shell

One of the goals of this work is to show how (relatively) easily a hacker can bypass classic perimeter defenses and antivirus. If an IT blogger without programming skills, like me, can spend a couple of evenings creating undetectable malware (fully undetectable, FUD), imagine what a young hacker with a real interest in this can do!

And if you are an IT security practitioner whose manager doesn't understand the possible consequences of this threat, just show them this article.

Hackers dream of getting direct access to the victim's laptop or server. That is easy to explain: all the hacker wants is to get hold of some confidential files on the CEO's laptop.

I have already written about the PowerShell Empire post-exploitation framework once before. Let's recall what it is.

It is a PowerShell-based penetration testing tool which, among many other things, lets you run a reverse shell with very little effort. You can read about it in detail on the PSE home page.

Let's run a small experiment. I set up a safe malware testing environment in the Amazon Web Services cloud. You can follow my example to demonstrate this threat quickly and safely (and not get fired for running viruses inside the corporate network).

Once you launch the PowerShell Empire console, you will see something like this:

First you start the listener process on the attacker's machine. Enter the "listener" command and specify the IP address of your system with "set Host". Then start the listener with the "execute" command (below). As a result, on your side, you are now waiting for a network connection from the remote shell:

On the other side, you need to generate the agent code by entering the "launcher" command (see below). This produces the PowerShell code for the remote agent. Note that it is Base64-encoded and represents the second stage of the payload. In other words, my JavaScript code will now pull down this agent to run in PowerShell instead of harmlessly printing to the screen, and connect to our remote PSE server to run the reverse shell.

Reverse shell magic. This encoded PowerShell command connects to my listener and launches the remote shell.

To demonstrate the experiment, I took on the role of an innocent user and opened Evil.doc, thereby launching our JavaScript. Remember the first part? PowerShell was configured to keep its window from popping up, so the victim won't notice anything unusual. However, if you open Windows Task Manager, you will see a background PowerShell process that still won't alarm most people. After all, it's just ordinary PowerShell, isn't it?
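The two observables this article keeps returning to, the Base64-encoded command passed to PowerShell (which HA decodes for you) and the hidden PowerShell window spawned from a document, are exactly what a defender looks for in process-creation telemetry. The following Python is an added example, not code from the article or from Hybrid Analysis: it triages constructed Sysmon-style events, flags Office-spawned, hidden-window and encoded PowerShell, and decodes the `-EncodedCommand` payload (Base64 of UTF-16LE text) the way HA does. The event field names and the sample command lines are assumptions built for this example.

```python
import base64

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# The first mirrors the chain described in the article: Word -> hidden PowerShell -> Base64 payload.
# The payload is the harmless "print a message" script from part one, encoded as PowerShell expects.
_BENIGN_SCRIPT = "Write-Host 'hello'"
_ENCODED = base64.b64encode(_BENIGN_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -w hidden -enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

def _flag_matches(token, full_name):
    """PowerShell accepts any prefix of a switch name (-w, -win, -enc, -ec ...)."""
    return token.startswith("-") and len(token) > 1 and full_name.startswith(token[1:].lower())

def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 of UTF-16LE text; return None if it is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event):
    """Return the findings for one event plus the decoded payload, if any."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    findings, decoded = [], None
    if image not in ("powershell.exe", "pwsh.exe"):
        return {"findings": findings, "decoded": decoded}
    if parent in OFFICE_PARENTS:
        findings.append("office-spawned-powershell")
    tokens = event["CommandLine"].split()
    for tok, nxt in zip(tokens, tokens[1:]):       # look at each switch and its argument
        if _flag_matches(tok, "windowstyle") and nxt.lower() == "hidden":
            findings.append("hidden-window")
        elif _flag_matches(tok, "encodedcommand"):
            findings.append("encoded-command")
            decoded = decode_encoded_command(nxt)
    return {"findings": findings, "decoded": decoded}

def triage_all(events):
    return [triage_event(e) for e in events]
```

The three findings together (Office parent, hidden window, encoded command) are the combination worth alerting on; any one of them alone is common in legitimate administration.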

Now, once Evil.doc has been run, the hidden background process connects to the server running PowerShell Empire. Putting my white pentester hat back on, I returned to the PowerShell Empire console and now see the message that my agent is active.

Then I entered the "interact" command to open a shell in PSE - and there I was! In short, I had hacked the Taco server that I myself set up once upon a time.

What I have shown you doesn't take much effort. You can easily do all of this in a lunch break of an hour or two to sharpen your security knowledge. It is a good way to understand how hackers get past your external security perimeter and move inside your systems.

IT managers who believe they have built impenetrable protection against any intrusion will also find it instructive - that is, if you can convince them to sit with you long enough.

Let's get back to reality

As I expected, a real break-in, invisible to the ordinary user, is just a variation of what I have just described. To gather material for the next publication, I went looking for a sample on HA that works the same way as my contrived example. And I didn't have to look for long - the site offers plenty of variants of a similar attack technique.

The malware I found on HA was a VBA script embedded in a Word document. That is, I no longer even needed to fake the doc extension; this malware really is an ordinary-looking Microsoft Word document. If you want to follow along, I chose this sample, called rfq.doc.

I quickly learned that you usually can't just pull malicious VBA scripts out of the document. Hackers compress and hide them so that they don't show up in Word's built-in macro tools. You need a special tool to extract them. Fortunately I came across the OfficeMalScanner scanner by Frank Boldewin. Thank you, Frank.

Using this tool, I was able to extract the heavily obfuscated VBA code. It looked like this:

Obfuscation done by true professionals in their field. I was impressed!

The attackers are very good at obfuscating code, nothing like my efforts in creating Evil.doc. Well then, in the next part we will get out the VBA debuggers, dig deeper into this code, and compare our analysis with HA's results.

Source: www.habr.com
